Security Problem Response Team

Microsoft has established the Security Information Response Team to respond to field reports of security problems in all its products, including NT. The team works to create workarounds and fixes for these problems, and depending on the severity of the problem, provides rapid dissemination of the solution to customers. Customers can report security problems to Microsoft in several ways. Microsoft prefers that customers report security issues by emailing them to secure@microsoft.com (customers can encrypt reports mailed to this address), reporting them to their Premier support representative, or reporting them to the Microsoft field sales force. In addition, Microsoft monitors and participates in two mail lists: ntbugtraq@listserv.ntbugtraq.com and bugtraq@netspace.org. Microsoft also obtains input from the Computer Emergency Response Team (CERT) at Carnegie Mellon University. The response team monitors these input sources on a 7x24 basis. When a report of a security problem arrives, the product support staff immediately evaluates it. First they determine whether the problem arose because of an implementation problem (for example, the customer is using an older version of the software) and then reproduces the reported behavior. The product support staff may also get back to the reporting customer if they need more information about the problem. The team refers security problems that pass this initial screening to the responsible developers in the appropriate product area. Those developers then try to find a workaround that affected customers can implement immediately. If this isn't possible, they then attempt to generate a hot fix to the software in question. In either case, the team posts the short-term solution on Microsoft's security Web page and sends an alert to Premier customers. Microsoft says that if it needs to create a hot fix, it tries to do so within 24 to 72 hours, although it can't guarantee these specific response times because testing the fix may sometimes be difficult. In some cases, Microsoft also coordinates with CERT in responding to a vulnerability.